Michael Zimmer Keynote

advertisement
Research, the Cloud, and the IRB:
NEW OPPORTUNITIES :: NEW CHALLENGES
Michael Zimmer, PhD
Assistant Professor, School of Information Studies
Director, Center for Information Policy Research
University of Wisconsin-Milwaukee
zimmerm@uwm.edu
www.michaelzimmer.org
• Anyone who has studied the history of
technology knows that technological change is
always a Faustian bargain
• Technology giveth and technology taketh away,
and not always in equal measure.
• A new technology sometimes creates more than
it destroys. Sometimes, it destroys more than it
creates. But it is never one-sided.
•
10/12/2012
Virginia IRB Consortium Conference
Neil Postman
2
Agenda
• What is Cloud Computing?
• Opportunities for Use in Research
• Ethical Dimensions
•
•
•
•
Subject confidentiality & anonymity
Data privacy & security
Data ownership & stewardship
Research integrity & authorship
• Conceptual Gaps & Policy Vacuums
• What can Researchers and IRBs do?
10/12/2012
Virginia IRB Consortium Conference
3
What is Cloud Computing?
KEXINO (CC BY-NC-ND 2.0) http://www.flickr.com/photos/kexino/4202662815/
10/12/2012
Virginia IRB Consortium Conference
4
What is Cloud Computing?
• On-demand, network-based access to computing
recourses
• Features
Location independent; supports increased mobility
• Flexible, scalable, robust
• On-demand performance; big data processing
• Little (if any) local support or maintenance
•
10/12/2012
Virginia IRB Consortium Conference
5
What is Cloud Computing?
• Milestones
•
•
•
•
•
1999 – Salesforce.com delivers enterprise services via the
web
2002 – Amazon Web Services (storage, computation, human
intelligence via the cloud)
2004 – Gmail reboots web-based email, follows with Google
Docs
2006 – Amazon’s Elastic Compute Cloud (EC2)
2007 – IBM shifts focus to the cloud
• Popularity
As early as 2008, 69 percent of Americans were using
webmail services, storing data online, or otherwise using
software programs located on the web
• By 2011, 80% of Fortune 500 companies use IBM cloud
•
10/12/2012
Virginia IRB Consortium Conference
6
3 Layers of Cloud Computing
http://en.wikipedia.org/wiki/File:Cloud_computing.svg (CC BY-SA 3.0)
10/12/2012
Virginia IRB Consortium Conference
7
Application Layer
• “Software as a service”
• Providing productivity applications via the Web;
no local software needed
10/12/2012
Virginia IRB Consortium Conference
8
Platform Layer
• “Platform as a service”
• Providing application development platforms and
operating systems via the Web
• Can deploy applications without needing your
own infrastructure or distribution channels
10/12/2012
Virginia IRB Consortium Conference
9
Infrastructure Layer
• “Infrastructure as a service”
• Provide computing infrastructure on demand
• Outsourcing servers, storage, network
equipment, processing power, data centers
10/12/2012
Virginia IRB Consortium Conference
10
Research Opportunities for Cloud
Computing
• Application layer
•
•
Most common and easiest application of cloud
Data gathering, storage, collaboration
• Platform layer
•
Hosted apps for recruitment & surveys
• Infrastructure layer
•
•
Access to increased processing power for large-scale
research projects
Some non-traditional uses
10/12/2012
Virginia IRB Consortium Conference
11
Research Opportunities: Applications
• Data gathering using web-based survey
applications
SurveyMonkey
• Zoomerang
• Qualtrics
•
• Typically used “in the wild”, sometimes
institutionally-bound
10/12/2012
Virginia IRB Consortium Conference
12
Research Opportunities: Applications
• Data storage & sharing using cloud-based
applications
Dropbox
• Box.net
• iCloud
•
• Communication & collaboration using cloudbased applications
•
•
•
Gmail, IM, Skype
Google Docs, Office Live
Wikis
10/12/2012
Virginia IRB Consortium Conference
13
Research Opportunities: Platforms
• With skilled programmers, can build custom apps
to deploy via cloud-based platforms
Subject recruitment and screening apps on Facebook
• Building and deploying test instruments within online
gaming platforms
• Monitoring and activity tracking apps on mobile device
platforms
•
10/12/2012
Virginia IRB Consortium Conference
14
Research Opportunities: Infrastructure
• Leverage cloud-based computing infrastructures to
handle resource-intensive processing tasks
•
•
Clinical trial data storage & processing
Sharing extremely large databases
• Innovative, non-traditional use of cloud-based
processing “resources”
•
•
•
____@Home (distributed computing)
Fold.It
Amazon Mechanical Turk
10/12/2012
Virginia IRB Consortium Conference
15
Fold.It
• Web-based puzzle video game to assist with
protein folding research
• Leverage millions of gamers to assist in data
processing
10/12/2012
Virginia IRB Consortium Conference
16
Fold.It
http://fold.it/
10/12/2012
Virginia IRB Consortium Conference
17
Fold.It
• Web-based puzzle video game to assist with
protein folding research
• Leverage millions of gamers to assist in data
processing
• Players produced an accurate 3D model of and
AIDS-related enzyme in just 10 days
•
Researchers had been trying for 15 years
10/12/2012
Virginia IRB Consortium Conference
18
Amazon Mechanical Turk
• Facilitates outsourcing of computational or other
mundane tasks
• Requesters post “Human Intelligence Tasks”
offering minimal fees
• Workers select tasks to complete for
micropayments
10/12/2012
Virginia IRB Consortium Conference
19
Amazon Mechanical Turk
10/12/2012
Virginia IRB Consortium Conference
20
3 Layers of Cloud Computing
http://en.wikipedia.org/wiki/File:Cloud_computing.svg (CC BY-SA 3.0)
10/12/2012
Virginia IRB Consortium Conference
21
Ethical Dimensions
• Subject confidentiality & anonymity
• Data privacy & security
• Data ownership & stewardship
• Research integrity & authorship
10/12/2012
Virginia IRB Consortium Conference
22
Subject Confidentiality & Anonymity
• When recruiting subjects or collecting data with
cloud-based applications…
•
•
•
Are IP addresses logged in such a way to allow reidentification of subjects
Using a Facebook app might provide researchers access
to unnecessary personal information
Are cloud providers tracking data and usage
themselves? Delivering ads? Selling user data?
10/12/2012
Virginia IRB Consortium Conference
23
Data Privacy & Security
• Critical concern of any cloud system, takes on even
more importance when dealing with subject data
•
•
•
Are cloud-based communication and collaboration systems
using SSL encryption?
Is data stored on cloud-servers encrypted?
What is service’s policy regarding 3rd party access
•
•
•
Advertisers
Investigative inquiry vs. subpoena vs. warrants?
Electronic Communication Privacy Act (ECPA)
10/12/2012
Virginia IRB Consortium Conference
24
Data Ownership & Stewardship
• Who owns, and who controls (meta)data in the
cloud?
•
•
•
•
Are you granting the cloud provider any license to use your
data or activities (for advertising, data mining, etc)?
Can you ensure data remains in the U.S.?
Can data be destroyed on demand, including backups?
Can you ensure cloud provider won’t hold your data
“hostage”, or disappear?
10/12/2012
Virginia IRB Consortium Conference
25
Research Integrity & Authorship
• Should researchers rely on cloud-based data
processing and analysis?
•
•
•
Can you trust (or audit?) external/collaborative processing
platforms
Ethical to use Mechanical Turk, or otherwise outsource
mundane tasks to unknown persons for nominal wages?
Authorship claims?
10/12/2012
Virginia IRB Consortium Conference
26
Conceptual Gaps & Policy Vacuums
• Emergence of new technologies often lead to
conceptual gaps in how we think about ethical
problems, and reveal policy vacuums for how we
should best address them
•
•
Computer technology transforms “many of our human
activities and social institutions,” and will “leave us with
policy and conceptual vacuums about how to use
computer technology”
“Often, either no policies for conduct in these
situations exist or existing policies seem inadequate.
•
10/12/2012
Jim Moor, “What is Computer Ethics?”
Virginia IRB Consortium Conference
27
Conceptual Gaps & Policy Vacuums
• The fluidity and complexity of cloud-based tools
and platforms creates potential conceptual gaps
•
•
Are these ethical dimensions merely the same as before,
or fundamentally different due to the cloud?
Does the nature of anonymity, privacy, consent, even
harm change when dealing with cloud-based research?
10/12/2012
Virginia IRB Consortium Conference
28
Conceptual Gap: Privacy
• Presumption that because subjects make information
available on a cloud-based service, they don’t have an
expectation of privacy
Researchers/IRBs might assume everything is always public, and
was meant to be
• Assumes no harm could come to subjects if data is already
“public”
•
• New ethical problems…
Ignores contextual nature of sharing
• Fails to recognize the strict dichotomy of public/private doesn’t
apply in the 2.0 world
• Need to track if ToS/architecture have changed, or if users even
understand what is available to researchers
•
Nissenbaum, H. 2011. “Privacy in Context: Technology,
Policy, and the Integrity of Social Life”
10/12/2012
Virginia IRB Consortium Conference
29
Conceptual Gap: Anonymity vs.
Identifiability
• Presumption that stripping names & other obvious
identifiers provides sufficient anonymity when
sharing data in the cloud
•
Assumes only PII allows re-identification
• New ethical problems…
•
•
Ignores how anything can potentially identifiable
information and become the “missing link” to re-identify
an entire dataset
“Anonymous” datasets are not achievable and provides
false sense of protection
Ohm, P. “Broken promises of privacy: Responding to the
surprising failure of anonymization.” UCLA Law Review
10/12/2012
Virginia IRB Consortium Conference
30
Conceptual Gap: Consent
• Presumption that because something is shared or
available without a password, the subject is
consenting to it being harvested for research
•
Assumes no harm can come from use of data already
shared with friends or other contextually-bound circles
• New ethical problems…
•
•
Must recognize that a user making something public
online comes with a set of assumptions/expectations
about who can access and how
Must recognize how research methods might allow unanticipated access to “restricted” data
10/12/2012
Virginia IRB Consortium Conference
31
Conceptual Gap: Harm
• Presumption that “harm” means risk of physical or
tangible impact on subject
•
Researchers often imply “data is already public, so what
harm could possibly happen”
• New ethical problems
•
Must move beyond the concept of harm as requiring a
tangible consequence
•
•
Protecting from harm is more than protecting from hackers,
spammers, identity thieves, etc
Consider dignity/autonomy theories of harm
•
•
Must a “wrong” occur for there to be damage to the subject?
Do subjects deserve control over the use of their data streams?
10/12/2012
Virginia IRB Consortium Conference
32
Conceptual Gap: Human Subjects
• Researchers (esp. CompSci) often interact only
with datasets, objects, or avatars, thus feel a
conceptual distance from an actual human
•
Often don’t consider what they do as “human subject”
research
• New ethical problems
•
•
Must bridge this (artificial) distance between
researcher and the actual human subject
Also consider other stakeholders within the complex
arrangement of information intermediaries
Carpenter, K & Dittrich, D. “Bridging the Distance: Removing the Technology Buffer and
Seeking Consistent Ethical Analysis in Computer Security Research”
10/12/2012
Virginia IRB Consortium Conference
33
Conceptual Gaps & Policy Vacuums
• The fluidity and complexity of cloud-based tools and
platforms creates potential conceptual gaps
Are these ethical dimensions merely the same as before, or
fundamentally different due to the cloud?
• Does the nature of anonymity, privacy, consent, even harm
change when dealing with cloud-based research?
•
• Leaving researchers & IRBs with considerable policy
vacuums
How should researchers deal with using the cloud in their
projects?
• How should IRBs review them?
•
• And how can we ensure good research still gets done…
10/12/2012
Virginia IRB Consortium Conference
34
What can Researchers & IRBs do?
- broadly
• Get educated, find recourses
•
•
Events like today; PRIM&R
Utilize disciplinary resources
•
•
•
For example: “Ethical decision-making and Internet research:
Recommendations from the AoIR Ethics Working Committee”
Keep up on research
Utilize experts
• Look for guidance
•
Increased attention hopefully will prompt guidance
from HHS and related regulatory bodies
10/12/2012
Virginia IRB Consortium Conference
35
What can Researchers & IRBs do?
- practically
• Read and understand the Terms of Service
•
Incorporate in risk analysis
• Include mention of cloud-based services in
consent forms
•
Level of detail?
• Monitor/audit cloud services over life of project
•
Have terms or practices changed?
• All this is new, complex, and difficult…
10/12/2012
Virginia IRB Consortium Conference
36
• Anyone who has studied the history of
technology knows that technological change is
always a Faustian bargain
• Technology giveth and technology taketh away,
and not always in equal measure.
• A new technology sometimes creates more than
it destroys. Sometimes, it destroys more than it
creates. But it is never one-sided.
•
10/12/2012
Virginia IRB Consortium Conference
Neil Postman
37
Research, the Cloud, and the IRB:
NEW OPPORTUNITIES :: NEW CHALLENGES
Michael Zimmer, PhD
Assistant Professor, School of Information Studies
Director, Center for Information Policy Research
University of Wisconsin-Milwaukee
zimmerm@uwm.edu
www.michaelzimmer.org
Download